cntx
just joined
Topic Author
Posts: 2
Joined: Tue Mar 28, 2023 2:23 pm

high CPU load of ssl when using SSTP

Tue Mar 28, 2023 3:51 pm

Hi,

we are using a CCR1009 as router for our internal network, with the latest stable RouterOS version 7.8.

We are using the SSTP server with our own certificate (via Let's Encrypt).
After a few days we see that 1 of the 9 cores is working 100% of the time on the ssl process.
Disabling and re-enabling the SSTP server doesn't get it down to (nearly) 0.
We have to reboot the router to get the CPU usage back to normal.
If we disable SSTP, we don't get that high CPU load - even after months.

Config part of VPN/SSTP:
/interface sstp-server server
set authentication=mschap2 certificate=vpn.pem_0 default-profile=\
    ppp-profile-dialin enabled=yes pfs=yes port=444 tls-version=only-1.2

/ppp profile
add dns-server=10.200.0.19 local-address=pool-vpn-dialin name=\
    ppp-profile-dialin remote-address=pool-vpn-dialin \
    remote-ipv6-prefix-pool=kbd-v6 use-encryption=required

/radius
add address=10.200.0.19 service=ppp,wireless timeout=500ms

/ip pool
add name=pool-vpn-dialin ranges=10.200.10.10-10.200.10.254

Another specialty comes to mind: Twice a day the Let's Encrypt service on our Linux server checks if the certificate needs to be renewed. After each check we copy the current certificate to the MikroTik (without checking if it was changed).
At first we just deleted the old certificate and copied the current one to the MikroTik.
Now we disable SSTP, wait 1s, delete certificates + copy current one, wait 1s, enable SSTP.
The latter course of action didn't change anything.

Does anyone have any ideas what I can do to fix this problem?
Or do you think that it's just a bug?
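
The post above says the certificate is pushed to the router after every renewal check, whether or not it changed. As an added example (not part of the original post), here is a change-detection gate for the Linux side that calls the deployment step only when the certificate file's SHA-256 differs from the last deployed one. `STATE_FILE`, the function names and the `deploy_to_router` placeholder are assumptions; the thread does not establish whether the repeated imports are related to the CPU load.

```shell
#!/bin/sh
# Added example: deploy the certificate only when its content has changed.
# STATE_FILE and all function names are assumptions, not from the thread.
STATE_FILE="${STATE_FILE:-/var/lib/sstp-cert/last.sha256}"

# Print the hex SHA-256 digest of a file.
cert_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if the file differs from the last deployed one, 1 if identical,
# 2 if the file cannot be read.
cert_changed() {
    [ -r "$1" ] || return 2
    new=$(cert_digest "$1")
    [ -n "$new" ] || return 2
    [ -f "$STATE_FILE" ] || return 0      # nothing deployed yet
    old=$(cat "$STATE_FILE")
    [ "$new" != "$old" ]
}

# Record the digest once a deployment has succeeded.
mark_deployed() {
    mkdir -p "$(dirname "$STATE_FILE")" && cert_digest "$1" > "$STATE_FILE"
}

# Placeholder: put the existing steps here (disable SSTP, replace the
# certificate, enable SSTP). It only logs in this example.
deploy_to_router() {
    echo "deploying $1 to router (placeholder)" >&2
}

# Call after each renewal check, e.g.: sync_cert /path/to/current-cert.pem
sync_cert() {
    if cert_changed "$1"; then
        deploy_to_router "$1" && mark_deployed "$1" && echo deployed
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then echo unchanged; return 0; fi
        echo "cannot read $1" >&2
        return 2
    fi
}
```

The digest is recorded only after `deploy_to_router` succeeds, so a failed push is retried on the next run.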
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: high CPU load of ssl when using SSTP

Thu Mar 30, 2023 5:27 am

Check your system certificate settings; try disabling CRL download and disabling use CRL.
 
cntx

Re: high CPU load of ssl when using SSTP

Thu Mar 30, 2023 12:30 pm

Thanks for the help.

I just checked, both options ("CRL Download" and "Use CRL") aren't active.

I just checked the configuration again: The file resulting from using "/export" doesn't contain any configuration of "certificate".
